Using Kerberos Authentication in Scheduler Without Joining a Kerberos Realm

Both the Scheduler server and the Scheduler administration tool can use the authentication method provided by a Kerberos realm (e.g. a Windows Active Directory domain), even if the servers where they run (they can be the same or different servers) are not joined to this realm. To do this, you have to add some properties to the Denodo configuration scripts. Follow these steps:

  1. Open the Denodo Control Center.
  2. Click Configure.
  3. Click JVM Options.
  4. In the Web Container box (for the Scheduler administration tool) and in the Scheduler Server box (for the Scheduler server), add the following (do not remove the existing content of this field):
     -Djava.security.krb5.realm=<domain realm> -Djava.security.krb5.kdc=<Key distribution center 1>[:<key distribution center>]+
     For example:
     -Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com
     If there is more than one key distribution center (KDC) in your domain, add each one to the property java.security.krb5.kdc, separated by a colon. For example:
     -Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com:dc-02.contoso.com
  5. To apply these changes, stop all the Denodo Platform servers and, once they are all stopped, start them again. It is important to stop them all so that the Denodo web container is stopped as well. If, for example, you leave the Information Self-Service started, the web container will not shut down and these changes will not take effect.

If the Scheduler server or the Scheduler administration tool is running on a “headless” host (i.e. a host without graphical support), you cannot launch the Control Center. Instead, to set the Kerberos system properties, do the following:

  1. For the Scheduler administration tool, edit the file <DENODO_HOME>/resources/apache-tomcat/tomcat.properties
  2. For the Scheduler server, edit the file <DENODO_HOME>/conf/scheduler/ConfigurationParameters.properties
  3. In each file, add the properties java.security.krb5.realm and java.security.krb5.kdc, with the values explained above, to the java.env.DENODO_OPTS_START property.
  4. Execute <DENODO_HOME>/bin/regenerateFiles.sh
  5. To apply these changes, stop all the Denodo Platform servers and, once they are all stopped, start them again. It is important to stop them all so that the Denodo web container is stopped as well. If, for example, you leave the Information Self-Service started, the web container will not shut down and these changes will not take effect.
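
A check to run on a headless host after editing the files in step 3, added here as an example (it is not Denodo's own tooling): it reads java.env.DENODO_OPTS_START from a properties file and confirms that both Kerberos properties are present with usable values. It assumes the property is written on a single key=value line; the function names jvm_opt and check_krb5_opts and the sample file contents (including -Xmx1024m) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Denodo tooling): check the Kerberos JVM options before restarting.
# Assumption: the property is written on a single line as key=value.
PROP='java.env.DENODO_OPTS_START'

# Print the value of -D<name>=<value> taken from $PROP in <file>, or nothing.
jvm_opt() {  # usage: jvm_opt <file> <system-property-name>
    grep "^[[:space:]]*$PROP[[:space:]]*[=:]" "$1" | tail -n 1 |
        sed 's/\\\([:=]\)/\1/g' |   # undo .properties escaping such as "\:"
        tr ' \t' '\n\n' |           # one JVM option per line
        sed -n "s/^.*-D$2=\(.*\)$/\1/p" | tail -n 1
}

# Return 0 only when realm and KDC list are both set and look usable.
check_krb5_opts() {  # usage: check_krb5_opts <file>
    realm=$(jvm_opt "$1" java.security.krb5.realm)
    kdc=$(jvm_opt "$1" java.security.krb5.kdc)
    rc=0
    # The JVM requires both system properties; setting only one is an error.
    [ -n "$realm" ] || { echo "$1: java.security.krb5.realm is missing" >&2; rc=1; }
    [ -n "$kdc" ]   || { echo "$1: java.security.krb5.kdc is missing" >&2; rc=1; }
    # A template placeholder copied verbatim, e.g. <domain realm>.
    case "$realm$kdc" in
        *'<'*|*'>'*) echo "$1: placeholder left in value" >&2; rc=1 ;;
    esac
    # The KDC list is colon-separated; reject empty entries.
    case "$kdc" in
        :*|*:|*::*) echo "$1: empty entry in KDC list" >&2; rc=1 ;;
    esac
    return $rc
}

# Constructed sample standing in for tomcat.properties or
# ConfigurationParameters.properties; existing options are kept, as the steps require.
sample=$(mktemp)
printf '%s\n' 'java.env.DENODO_OPTS_START=-Xmx1024m -Djava.security.krb5.realm=CONTOSO.COM -Djava.security.krb5.kdc=dc-01.contoso.com\:dc-02.contoso.com' > "$sample"

if check_krb5_opts "$sample"; then
    echo "realm: $(jvm_opt "$sample" java.security.krb5.realm)"
    echo "kdc:   $(jvm_opt "$sample" java.security.krb5.kdc)"
fi
```

Point the function at each of the two files from steps 1 and 2 before running regenerateFiles.sh; a non-zero return means the restart would start the JVM without a complete Kerberos configuration.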

As already stated, you only have to run these steps in the Scheduler server and/or Scheduler administration tool installations.

After performing these steps, configure the Scheduler administration tool and the Scheduler server to use Kerberos authentication.